from the liar-liar dept

We keep asking if the politicians supporting CISA -- the "Cybersecurity Information Sharing Act" -- can explain just what security breaches it would have stopped -- and they can't. Because the answer is that it wouldn't have stopped any of them. And yet, the politicians pushing CISA never seem to waste an opportunity to pretend that each new big computer hack would have been stopped if only CISA had been in place. A few months ago it was the OPM hack and, now, apparently it's the T-Mobile/Experian hack.

Both Senators Richard Burr and Dianne Feinstein (the two leading members of the Senate Intelligence Committee from each party) have been taking swings at anyone who won't support the bill, and have cited the T-Mobile customer breach as a reason to support it:

“If these special interest groups are successful in mischaracterizing this bill, which authorizes purely voluntary sharing, they will only succeed in allowing more personal information to be compromised to criminals and foreign countries.”

The Intelligence panel leaders urged action on the bill following a breach that might have exposed private data for 15 million current and prospective T-Mobile customers.

Of course, the reason that the customer data was exposed has nothing to do with CISA, which would not have stopped that breach. It had to do with Experian screwing up their encryption. If Feinstein and Burr really wanted to encourage better cybersecurity, they'd be encouraging greater encryption.

And they're not being truthful in the rest of their statement. As far as I've seen, most of the people opposing CISA are happy to admit that it's about "voluntary" sharing of information -- but they note that by taking away all liability from companies for sharing info, companies have greatly decreased incentives to protect user privacy.

And, also, all of this totally leaves out the real reason behind CISA. As was revealed this past summer, the NSA uses "cybersignatures" as selectors in searching through all of the upstream (backbone) traffic that it sniffs. Given that, what the NSA is really looking for are more "cybersignatures" in order to be able to sniff out many more things.

And guess what CISA would do? That's right, create incentives for companies to give "cybersignatures" to the NSA.

This is almost certainly why Senator Ron Wyden made it clear that CISA is a surveillance bill in disguise, because it would play right into the hands of the NSA, by giving it a way to snoop on even more communications after convincing companies to hand over "cybersignatures" that it can then use to sniff through everyone's internet traffic.

Yes, CISA is "voluntary." But it's totally about surveillance, not cybersecurity, and nothing in CISA would have prevented the T-Mobile hack or the OPM hack or any other hack. For Feinstein and Burr to suggest otherwise is totally disingenuous fluff, designed to mislead the American public and to support the NSA.

from the well,-isn't-that-grand dept

This week's big data leak comes from mobile phone provider T-Mobile, who has admitted that someone hacked into credit giant Experian and got a bunch of T-Mobile customer data. The good news? The personal data was encrypted. The bad news? Experian fucked up the encryption and so it doesn't matter:

We have been notified by Experian, a vendor that processes our credit applications, that they have experienced a data breach. The investigation is ongoing, but what we know right now is that the hacker acquired the records of approximately 15 million people, including new applicants requiring a credit check for service or device financing from September 1, 2013 through September 16, 2015. These records include information such as name, address and birthdate as well as encrypted fields with Social Security number and ID number (such as driver’s license or passport number), and additional information used in T-Mobile’s own credit assessment. Experian has determined that this encryption may have been compromised. We are working with Experian to take protective steps for all of these consumers as quickly as possible.

I happen to be a T-Mobile customer, and I look forward to the usual bullshit response of a year's worth of credit monitoring and promises that this will never happen again. You know, until it does.

As I've said before, I do worry about holding companies totally responsible for when they get hacked, because a determined adversary will hack into any company they want to eventually. That's just the nature of the game. But when the company appears to be totally incompetent to the point of being negligent, it seems reasonable to hold them responsible. I'm sure in the coming days we'll find out more details about how the "encryption was compromised" (and we'll also probably learn that it impacts many more people than originally claimed). But these new data breaches every week or so are starting to get ridiculous.

from the oops dept

Brian Krebs, who continues to be a one-man reporting juggernaut when it comes to revealing the practices of online criminals, has posted quite the story about how information giant Experian apparently sold a ton of consumer data to an ID theft service, Superget.info, run out of Vietnam by a guy named Hieu Minh Ngo. Ngo was just arrested, after a grand jury indictment and after the feds lured him out of Vietnam to Guam over a supposed business deal. However, more interesting is the background here, in which Ngo was apparently able to buy access to a ton of consumer data that originated from U.S. Info Search. How he got it, and Experian's involvement, was a bit complex.

Basically, U.S. Info Search had an information sharing deal with a company called Court Ventures -- which was purchased by Experian in early 2012. The deal between USIS and Court Ventures was that both parties could sell their data, but in both cases, they were supposed to only sell it to registered US businesses. Apparently Court Ventures wasn't all that careful about that requirement. It appears that Ngo convinced Court Ventures that he worked for a US-based private investigator, and that was enough for Court Ventures. Krebs spoke to the CEO of U.S. Info Search, Marc Martin, who provided more info, which he found out after hearing about all this from the Secret Service:

While the private investigator ruse may have gotten the fraudsters past Experian and/or CourtVentures’ screening process, according to Martin there were other signs that should have alerted Experian to potential fraud associated with the account. For example, Martin said the Secret Service told him that the alleged proprietor of Superget.info had paid Experian for his monthly data access charges using wire transfers sent from Singapore.

“The issue in my mind was the fact that this went on for almost a year after Experian did their due diligence and purchased” Court Ventures, Martin said. “Why didn’t they question cash wires coming in every month? Experian portrays themselves as the databreach experts, and they sell identity theft protection services. How this could go on without them detecting it I don’t know. Our agreement with them was that our information was to be used for fraud prevention and ID verification, and was only to be sold to licensed and credentialed U.S. businesses, not to someone overseas.”

There's a lot more in Krebs' piece (go read it), about what happened here (as well as more info on Ngo). But the open question is whether or not the FTC might also go after Experian for allowing this to happen. It also raises questions about how well the giant data brokers protect consumer info (answer to nearly all of those questions: they don't). Furthermore, the piece details how the FTC has been taking an increasing interest in these kinds of issues, but hasn't really done much for many years, and how that's more or less allowed these kinds of scams to happen with frightening regularity.

from the just-wondering dept

It's no secret that FreeCreditReport.com, a site owned by Experian, has always been somewhat misleading in its marketing (okay, very misleading), getting people to get a "free credit report" that is not the government mandated free credit report, and whose entire program was really about upselling people to expensive credit monitoring services. However, we noted back in March that the FTC was finally forcing the site to be more honest in its marketing -- including a clear and conspicuous link to the real free credit report offering. But now, reports are coming out that FreeCreditReport.com isn't offering anything for free any more. The report you used to get for free is now a dollar. And, even though they promise to donate that dollar to charity, it makes you wonder: could the domain name itself be considered false advertising?

Of course, the reason why Experian is charging that dollar seems even more misleading than its old advertising program:

The new F.T.C. rules went into effect on April 2, and they required sites to include a prominent notice across the top of each Web page that mentioned free reports declaring that the only authorized source under federal law for such reports is annualcreditreport.com.

Rather than include such disclosures, Experian added the $1 charge, saying that "due to federally imposed restrictions, it is no longer feasible for us to provide you" with a free credit report. And now that the report costs $1, the new F.T.C. rule would presumably no longer apply.

Yes, you read that right. It's trying to make the FTC look bad for requiring the company to actually be honest... and, in doing so, is pretending that this means it no longer has to be honest. An Experian spokesperson explained it this way:

"The offer for the $1 report is very clear and in compliance with the F.T.C.'s rule," she said in an e-mail reply to questions. "There is no express or implied offer on our site for a free report."

from the it-ain't-really-free dept

It's been many years since we first wrote about the scammy services set up by the major credit reporting agencies to pretend to give you your federally guaranteed free credit report. The worst of the bunch has been FreeCreditReport.com, run by Experian, which despite its name, was actually just a way to get people to sign up for costly monthly credit monitoring services. The place to get your real free credit report is AnnualCreditReport.com, but FreeCreditReport.com tricked an awful lot of people into believing it was the real site, leading many to end up paying money (a lot of it) when they just wanted their mandated free report.

The FTC has been battling Experian and the other rating agencies for years over this blatantly misleading advertising. The misleading ads have been incredibly lucrative for Experian, who apparently has convinced an astounding 20 million people to sign up for FreeCreditReport, and spends $70 million per year in advertising to get more people to sign up. For all that, the FTC forced Experian to pay a measly $1 million in fines (and refund money to plenty of customers), but you can understand why Experian has kept up its misleading advertising.

from the oops dept

There are all sorts of questions about Lifelock, the company that claims to help protect you from identity theft. There were the stories that the founders of the company had previously been involved in identity fraud operations. And, of course, there's the whole issue with the company's CEO becoming a victim of identity fraud, while out promoting the service, by happily displaying his social security number in ads. In response to this, rather than letting the police handle the situation, the CEO hunted down the guy who impersonated him with a camera crew and coerced a "confession" out of the guy. This basically ruined the police investigation and they gave up prosecuting the case, saying that the evidence was tainted. Oh yeah, and there's the matter of the class action lawsuit against the company from customers who realized that Lifelock doesn't do much to actually prevent identity theft.

However, it's still surprising to find out that a court has ruled that Lifelock's fraud alert services are illegal. The lawsuit was brought by Experian, one of the big credit rating agencies, complaining that Lifelock abuses the fraud alert process. By law, the credit ratings agencies need to agree to put a free fraud alert on an account at the request of the account holder if they feel they're at risk of identity fraud. The alert requires anyone trying to open a new line of credit to first confirm with the customer before being able to extend the line of credit (basically, if someone tries to open a new credit card, the cardholder gets a call to make sure they really wanted it).

This is a free service, which lasts for 3 months -- at which point you need to proactively renew it. One of Lifelock's services is putting that alert on your accounts and promptly renewing it when the 3 months are up. Even though anyone can set their own up for free, for some people it's worth paying Lifelock to manage that process. Experian claimed it was an abuse, well beyond what the law was intended for, and that it was costing the company a ton of money to manage all of these requests. The judge agreed, noting that the lawmakers did not appear to intend for individuals to have middlemen place and manage fraud alerts.

While I'm somewhat skeptical of Lifelock, the idea that a company can't manage such alerts for an individual seems somewhat silly and counterproductive. The issue, though, probably isn't so much with the ruling, but with the law. Perhaps Congress should simply fix it and make it clear that if you want to pay some company to manage such alerts for you, that's perfectly fine.